88 lines
2.6 KiB
Go
88 lines
2.6 KiB
Go
/*
|
|
Copyright Docker attest authors
|
|
|
|
Licensed under the Apache License, Version 2.0 (the "License");
|
|
you may not use this file except in compliance with the License.
|
|
You may obtain a copy of the License at
|
|
|
|
http://www.apache.org/licenses/LICENSE-2.0
|
|
|
|
Unless required by applicable law or agreed to in writing, software
|
|
distributed under the License is distributed on an "AS IS" BASIS,
|
|
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
See the License for the specific language governing permissions and
|
|
limitations under the License.
|
|
*/
|
|
|
|
package attestation
|
|
|
|
import (
|
|
"context"
|
|
"fmt"
|
|
|
|
"github.com/docker/attest/internal/util"
|
|
"github.com/docker/attest/tlog"
|
|
intoto "github.com/in-toto/in-toto-golang/in_toto"
|
|
"github.com/secure-systems-lab/go-securesystemslib/dsse"
|
|
)
|
|
|
|
// SignDSSE signs a payload with a given signer and uploads the signature to the transparency log.
|
|
func SignDSSE(ctx context.Context, payload []byte, signer dsse.SignerVerifier, opts *SigningOptions) (*Envelope, error) {
|
|
payloadType := intoto.PayloadType
|
|
env := new(Envelope)
|
|
env.Payload = base64Encoding.EncodeToString(payload)
|
|
env.PayloadType = payloadType
|
|
encPayload := dsse.PAE(payloadType, payload)
|
|
|
|
// statement message digest
|
|
hash := util.SHA256(encPayload)
|
|
|
|
// sign message digest
|
|
sig, err := signer.Sign(ctx, hash)
|
|
if err != nil {
|
|
return nil, fmt.Errorf("error signing attestation: %w", err)
|
|
}
|
|
|
|
// get Key ID from signer
|
|
keyID, err := signer.KeyID()
|
|
if err != nil {
|
|
return nil, fmt.Errorf("error getting public key ID: %w", err)
|
|
}
|
|
|
|
dsseSig := &Signature{
|
|
KeyID: keyID,
|
|
Sig: base64Encoding.EncodeToString(sig),
|
|
}
|
|
if opts.TransparencyLog != nil {
|
|
ext, err := logSignature(ctx, opts.TransparencyLog, sig, encPayload, signer)
|
|
if err != nil {
|
|
return nil, fmt.Errorf("failed to log signature: %w", err)
|
|
}
|
|
dsseSig.Extension = ext
|
|
}
|
|
// add signature to dsse envelope
|
|
env.Signatures = []*Signature{dsseSig}
|
|
|
|
return env, nil
|
|
}
|
|
|
|
// returns a new envelope with the transparency log entry added to the signature extension.
|
|
func logSignature(ctx context.Context, t tlog.TransparencyLog, sig []byte, encPayload []byte, signer dsse.SignerVerifier) (*Extension, error) {
|
|
// get Key ID from signer
|
|
keyID, err := signer.KeyID()
|
|
if err != nil {
|
|
return nil, fmt.Errorf("error getting public key ID: %w", err)
|
|
}
|
|
entry, err := t.UploadEntry(ctx, keyID, encPayload, sig, signer)
|
|
if err != nil {
|
|
return nil, fmt.Errorf("error uploading TL entry: %w", err)
|
|
}
|
|
|
|
return &Extension{
|
|
Kind: DockerDSSEExtKind,
|
|
Ext: &DockerDSSEExtension{
|
|
TL: entry,
|
|
},
|
|
}, nil
|
|
}
|